ISE BYOD ANDROID ACL FOR GOOGLE PLAY

Simon Parlsjo
Level 1

Hi,

Is there anyone out there who has an ACL (DNS and IP) that works for Google Play access during the BYOD flow for Android?

I am located in Europe and there doesn’t seem to be any example that works.


nspasov
Cisco Employee

Hello Simon-

What does your ACL look like?

There are a couple of easy ways you can do this:

1. If you are running version 7.6 or later, then you can use DNS-based ACL entries. That way a single entry can permit the Google Play store.

2. If #1 is not an option, then you can make the provisioning ACL for Google Play less restrictive. For instance, my regular provisioning ACL is pretty locked down, but the one for Android blocks all of my internal networks (except ISE servers and DNS) and then permits all Internet access.

I hope this helps!

Thank you for rating helpful posts!
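A model of the ACL described in option 2 above, added here as an example; it is not part of the original reply and is not WLC configuration syntax. It evaluates an ordered, first-match rule list and shows why the internal-network denies must sit above the final permit. All addresses, the `Rule` type and the helper names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None matches any protocol
    port: Optional[int] = None       # None matches any destination port

def rule(action, dst, proto=None, port=None):
    return Rule(action, ipaddress.ip_network(dst), proto, port)

# Constructed addresses: 10.1.1.10 stands in for an ISE node, 10.1.1.53 for the DNS server.
ANDROID_PROVISIONING_ACL = [
    rule("permit", "10.1.1.53/32", "udp", 53),   # DNS lookups only
    rule("permit", "10.1.1.10/32"),              # ISE server
    rule("deny", "10.0.0.0/8"),                  # internal networks
    rule("deny", "172.16.0.0/12"),
    rule("deny", "192.168.0.0/16"),
    rule("permit", "0.0.0.0/0"),                 # everything else: Internet
]

def evaluate(acl, dst_ip, proto, port):
    """Return the action of the first matching rule (implicit deny if none)."""
    addr = ipaddress.ip_address(dst_ip)
    for r in acl:
        if addr in r.dst and r.proto in (None, proto) and r.port in (None, port):
            return r.action
    return "deny"

def exposed(acl, probes):
    """Return the probes (dst_ip, proto, port) that the ACL permits."""
    return [p for p in probes if evaluate(acl, *p) == "permit"]

# Constructed probes toward internal hosts a provisioning client should not reach.
INTERNAL_PROBES = [("10.20.30.40", "tcp", 445), ("192.168.5.9", "tcp", 22),
                   ("10.1.1.53", "tcp", 22)]

if __name__ == "__main__":
    # Correct order: no internal probe is permitted.
    print(exposed(ANDROID_PROVISIONING_ACL, INTERNAL_PROBES))
    # Same rules with the permit-any moved to the top: every internal probe is permitted.
    misordered = [ANDROID_PROVISIONING_ACL[-1]] + ANDROID_PROVISIONING_ACL[:-1]
    print(exposed(misordered, INTERNAL_PROBES))
```

Running the same probe list against a candidate ACL before deploying it is a quick check that relaxing the Android rule has not opened internal ranges.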

Hi,

I have tried with a lot of different URLs and IP ranges. Currently I'm trying with the following:

DNS

  • Android.clients.google.*.*
  • Www.googleapis.*.*
  • Play.google.*.*
  • Ggpht.com.*.*
  • Android.pool.ntp.*.*
  • Market.android.*.*
  • Mtalk.google.*.*
  • *.android.clients.google.*.*
  • *.*.android.clients.google.*.*
  • *.gstatic.*.* (for bypassing internet check on Android - Disables mini-browser pop-up)

IP

  • 74.125.0.0/16
  • 173.194.0.0/16
  • 173.227.0.0/16
  • 206.111.0.0/16
  • 203.42.0.x/16
  • 8.35.0.0/16

So what happens when you try to run through the BYOD flow?

Thank you for rating helpful posts!

Hi

I accidentally marked this as answered. Is there a way to undo this?

With the ACL above I am not even able to access Google Play.

I also tried with the following and then I can go all the way to download. But when I tap the link to start the download it is stuck in Downloading state.

play.google.com

google.co

store.google.com

.googleapis.com

gstaic.com

accounts.youtube.com

dns.cisco.com

.appspot.com

ggpht.com

market.android.com

android.pool.ntp.org

google-analytics.com

.googleusercontext.com

Hi Simon, I have the same issue. We also tried to monitor the traffic in our firewall and put those IP addresses in the ACL, or even put different DNS-based entries in the ACL.

Do you have a fix for this now? Thanks

Having the same issue as you, Simon. It seems to be stuck at the downloading state and not progressing further. Did you happen to find a solution for this?

jan.nielsen
Level 7

Also, be aware that not all APs support DNS ACLs, and that before 8.2 it's my experience that DNS ACLs were a bit buggy. You might want to make sure DNS Snooping is actually being activated in the AP, and the WLC is receiving host/IP records from the APs when you are doing the DNS lookup from your clients.